Penetration Testing Summit 2010 – tenablesecurity.com
The SANS Penetration Testing Summit was held this year at the Hyatt Baltimore in Baltimore, MD on June 14 – 15 and was focused on “What Works in Penetration Testing”.

Resources:

Metasploit 101 – darknet-consulting.com
Are you a security professional that needs to learn the basis of metasploit but haven’t found a source?

Astalanumerator 0.7 – thespanner.co.uk
This version contains various CSS fixes and tracks each object within links and via the astalanumerator object.

WATOBO – THE Web Application Toolbox – sourceforge.net/apps/mediawiki/watobo/
WATOBO is intended to enable security professionals to perform highly efficient (semi-automated ) web application security audits. We are convinced that the semi-automated approach is the best way to perform an accurate audit and to identify most of the vulnerabilities.

Web Historian: Reloaded – mandiant.com
This release is a complete rewrite and revamp of our very popular web history extraction tool.

Websecurify 0.6RC2 Is Available for Download – websecurify.com
0.6RC2 fixes several bugs detected during the 0.6RC1 stage (thanks for the bug submissions), improves on the UI and introduces more internal changes to simplify and enhance future developments of the platform.

Techniques:

Turning XSS into Clickjacking – ha.ckers.org
Those of us who do a lot of work in the security world have come to realize that there is a ton of cross site scripting (XSS) out there.

A Zero-day Connection – symantec.com
While investigating the recent Adobe Remote Code Execution Vulnerability, we came across some interesting similarities to the malware and shellcode that were used in the ‘iepeers.dll’ Remote Code Execution tacks from March 2010.

Meterpreter for Pwned Home Pages – metasploit.com
About a year ago, while looking through various buggy, backdoored PHP shells, I decided it might be useful to have some of Meterpreter’s networking features in the web’s most pwnable language.

Lighttpd and Slowloris – ha.ckers.org
I had heard various different reports from people who use lighttpd during the initial investigation of slowloris that it was not vulnerable.

Using DNS to Find High Value Targets – ha.ckers.org
Because companies tend to point their DNS to those SaaS providers for white labeling, often you’ll see a convergence of a lot of sub-domains all pointing to a single IP address or set of IP addresses.

Post Exploitation Pivoting with the Windows 7 Vault – securitybraindump.blogspot.com
While I generally agree with this, the emerging capabilities of attack and forensic tools that acquire volatile memory from a host (and consequently decrypted credentials), only require a bit more patience.

Brute Force with THC Hydra – attackvector.org
Sometimes the only way in is to resort to password cracking (or, “brute forcing”). I would consider this to be another one of those last resort methods that I use when all else has failed.

Clickjack Baddie Whack – symantec.com
To prevent these kinds of attacks it’s important to use caution when browsing the Web, but unfortunately this can only go so far, and it’s not really feasible to disable JavaScript altogether because of the key role it plays in today’s Web.

Security Risks in Asynchronous Patch Release Schedules – fortinet.com
As software becomes more complex and integrate, code becomes shared and recycled. If a security risk (vulnerability) were to be discovered and fixed in the main trunk of code, it should also be fixed through its derivatives at the same time.

Anti-waf-software-security-only-zealotry – jeremiahgrossman.blogspot.com
Recently on Twitter I asked why some people feel oddly compelled to rely upon the shortcomings of Web Application Firewalls (WAFs) as a means to advocate for a Secure Development Lifecycle (SDL).

Sharing data remotely through Metasploit – happypacket.net
I’m working on some more integration between tools, but for now I have written a db module for Metasploit’s XMLRPC engine which allows remote processes to get information from the database.

Finding Interesting Database Data – digininja.org
In one of the early chapters he discusses the Asprox Botnet and explains the way it trawls through any databases it finds looking for columns that are of a type that will take text.

Offensive attacks and the World Cup 2010 – securelist.com
The cyber criminals didn’t want to lose such “good” opportunity for them and already took advantage in some ways like sending spam leading to phishing sites, to spread malware and so on.

Leave A Comment

About Us

Infosec Events is dedicated to the growing information security industry. We strive to provide useful information and resources to those in the industry. Don't hesitate to contact us should you need anything.